Methods of Limiting the Domain Name Service Traffic Against Distributed Denial of Service Attacks
Keywords:
DNS, Denial of Service, DDoS, Amplification Attack, BIND
Abstract
The goal of the research described in this paper is to find methods of limiting Domain Name Service (DNS) traffic in order to withstand Distributed Denial of Service (DDoS) attacks. Since DNS is a core network service, the protection of DNS servers is vital for the whole network infrastructure. In view of the different forms of DDoS attacks on DNS servers (such as the DNS Amplification Attack), the implementation of effective preventive methods becomes very important. This article describes the research work done in the Academic Scientific Research Computer Network of Armenia (ASNET-AM), managed by the Institute for Informatics and Automation Problems (IIAP) of the National Academy of Sciences of the Republic of Armenia (NAS RA), aimed at the deployment of improved methods of limiting DNS traffic against DDoS attacks. Special attention was given to User Datagram Protocol (UDP)-based Amplification Attacks that result in a Distributed Reflective Denial of Service (DRDoS) attack. This paper includes a description of best-practice configuration of protection methods for the most widely used name server software, the “Berkeley Internet Name Domain” (BIND9) package.
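As an added illustration, not the paper's own configuration, the following `named.conf` fragment contrasts the settings that make a BIND9 server usable as an amplification reflector (open recursion, unlimited responses) with a hardened variant that restricts recursion to the local network and enables BIND's built-in Response Rate Limiting. The `10.0.0.0/8` prefix and the per-second thresholds are assumed example values to be adapted to the deployment.

```conf
// --- Weak: answers recursive queries for anyone and never throttles ---
// Any spoofed query from the Internet is answered with a (possibly large)
// response sent to the forged source, i.e. the server acts as a reflector.
options {
    directory "/var/named";
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };
};

// --- Hardened: recursion only for trusted clients, authoritative answers rate-limited ---
acl "trusted" {
    localhost;
    localnets;
    10.0.0.0/8;      // assumed example: the organisation's own address range
};

options {
    directory "/var/named";

    // Recursion (and cache access) only for the trusted ACL; everyone else
    // receives REFUSED instead of a full recursive answer.
    recursion yes;
    allow-recursion   { "trusted"; };
    allow-query-cache { "trusted"; };
    allow-query       { any; };       // authoritative zones stay reachable

    // Omit optional additional-section data, shrinking every response.
    minimal-responses yes;

    // Response Rate Limiting (BIND builds with the rate-limit feature):
    // identical responses to one source prefix are capped per second;
    // "slip 2" sends every second excess reply as a small truncated (TC)
    // response, so a genuine client retries over TCP while a spoofed
    // victim receives almost nothing.
    rate-limit {
        responses-per-second 5;   // assumed example thresholds
        nxdomains-per-second 5;
        errors-per-second    5;
        window 5;
        slip   2;
        ipv4-prefix-length 24;
        log-only no;              // set to yes first to measure without dropping
    };
};
```

Watch the `rate-limit` log lines (and `rndc stats`) after enabling `log-only yes` for a few days to confirm that legitimate resolvers are not being throttled before switching to enforcement.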
License
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.